It’s been nine months since May 25, 2018 when the General Data Protection Regulation (GDPR) went into effect in the European Union (EU). During this short period of time much has happened, including megabreaches that continue to occur throughout the world. The first GDPR enforcement actions are beginning to happen:
- The UK Information Commissioner’s Office issued its first GDPR notice against AggregateIQ, a small, Canadian data analytics company with fewer than 20 employees. They were targeted because they were improperly retaining data on UK individuals.
- Portugal’s national privacy regulator, CNPD, fined a major hospital near Lisbon €400,000 because nearly 1000 employees had doctor-level access to data, while the hospital employed fewer than 300 doctors. This violation didn’t involve a data breach.
- The Austrian Data Protection Authority fined an entrepreneur €4,800 because they had a CCTV camera in front of their business recording a significant portion of the public sidewalk.
It’s not just the regulatory bodies that are enforcing GDPR—privacy lawyers are beginning to take action:
- On day one of GDPR, Austrian NGO NOYB filed complaints against Google, Facebook, Instagram, and WhatsApp for failing to obtain explicit consent to process users’ personal data.
- French NGO La Quadrature du Net is collecting signatures for a class action lawsuit against Facebook, Google, Amazon, Apple, and Microsoft, alleging that “forced consent” should not be required to use their products and services.
Meanwhile, other jurisdictions are interested in enacting similar legislation. For example, the California Consumer Privacy Act (CCPA) in the US and the Brazilian General Data Protection Law (LGPD) are both scheduled to go into effect in early 2020.
The impacts of GDPR
Data breaches are very expensive and can irreversibly damage an organization’s brand and reputation. GDPR adds to that cost by imposing significant penalties for failing to follow its regulations. Another result of GDPR is that now many organizations are paying attention to privacy and implementing the protections that are the law of the land throughout the EU.
The challenges facing InfoSec organizations
There are many actions that organizations must take to comply with the GDPR. However, in this blog we’ll focus on the unique challenges organizations face in ensuring they are compliant before, during, and after a security breach.
How GDPR affects your organization
InfoSec operations have unique concerns because they need to protect the privacy of the people they are monitoring internally within the EU. Remember, GDPR compels you to not only protect the privacy of your customers and the general public in the EU, but also to protect the privacy of employees, partners, and contractors.
Five basic areas where organizations need to comply
To be GDPR compliant at a high level, InfoSec organizations should do the following:
- Prepare and follow a comprehensive data privacy and protection plan.
- Follow proper data handling procedures at all levels of the organization.
- Continuously verify that your data security procedures and technologies are active and effective.
- Detect, mitigate, and investigate data breaches, and make breach notifications within 72 hours.
- Implement security by design, including making sure that default settings favor privacy.
How Exabeam helps you comply with GDPR
To be effective in meeting GDPR obligations, a security information and event management (SIEM) system needs access to as much data as possible. Ideally, the data is centralized so that it can be easily and efficiently analyzed and correlated. An important GDPR requirement is to detect and investigate data breaches, and to report data breaches within 72 hours of discovery. This requirement can be challenging to meet when your analysts are continually investigating alerts that turn out to be false positives. One of the biggest challenges is becoming aware of true security issues before they turn into breaches, so that actual threats are moved to the top of the queue.
Best practices for complying with GDPR
Complying with GDPR is a matter of consistent and systematic application of best practices, including:
- Monitoring data use and events to gain an understanding of normal versus risky user behavior
- Preventing data exfiltration through detection and prevention mechanisms
- Controlling access based on data classification and the principle of least privilege
- Designing processes to identify, notify, and respond to data breaches
Implementing organization-level security analytics that can monitor for insider threats to data is critical to creating and maintaining a GDPR-compliant network environment. Exabeam Data Lake and Advanced Analytics can help. Exabeam uses an integrated approach to privacy and security operations to satisfy GDPR requirements.
For more information about how Exabeam can help with GDPR compliance, see: